Vulnerability

Automatic updates are disabled by default. Once enabled, OpenElec connects to http://update.openelec.tv/updates.php to check whether a newer version is available. If there is one, OpenElec downloads it from http://releases.openelec.tv/<version>.tar (or any other URL returned by update.openelec.tv).

The auto-update feature of OpenElec uses neither encrypted connections nor signed updates. A man-in-the-middle could manipulate the update packages to gain root access remotely.

To run the downloaded firmware, the OpenElec system has to be rebooted, so user interaction is required at this point.
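
The checks the updater lacks, as an added example (not OpenElec's code): refuse any update URL that is not HTTPS on an expected host, and refuse any image whose SHA-256 does not match a known digest. It assumes the expected digest reaches the client through an authenticated channel such as a signed manifest; `ALLOWED_HOSTS`, `UpdateRejected` and the function names are hypothetical.

```python
import hashlib
import hmac
import io
import tarfile
from urllib.parse import urlsplit

# Assumption: only this host (named on the page) may serve update images.
ALLOWED_HOSTS = {"releases.openelec.tv"}


class UpdateRejected(Exception):
    """Raised when an update must not be staged for the next reboot."""


def check_update_url(url):
    """Reject plain-HTTP URLs and hosts the update server should never name."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("update URL is not HTTPS: %r" % url)
    if parts.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected("unexpected update host: %r" % parts.hostname)
    return url


def sha256_stream(fileobj, chunk_size=1 << 16):
    """Hash the image in chunks so large tarballs are not held in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def accept_update(url, fileobj, expected_sha256):
    """Return True only if URL and digest both check out; raise otherwise."""
    check_update_url(url)
    actual = sha256_stream(fileobj)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise UpdateRejected("digest mismatch, image differs from the expected one")
    return True


def make_sample_image():
    """Constructed sample: a tiny tar standing in for a firmware image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed payload\n"
        info = tarfile.TarInfo("sample.bin")  # constructed member name
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A digest fetched over the same unauthenticated channel as the image gives no protection, which is why the expected value has to come from a source the client can authenticate.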

Exploit

The following code downloads an OpenElec firmware image, extracts it, places a reverse shell into the Kodi start script and finally generates a backdoored firmware: